What is CSRF and how do you prevent it?
CSRF (Cross-Site Request Forgery) tricks a logged-in user's browser into sending an unwanted request to a site they're authenticated with, riding on their cookies.
CSRF tokens — a secret, unguessable token bound to the user's session that the server checks on each state-changing request; a cross-site attacker cannot read it, so the forged request fails the check.
SameSite cookies — set SameSite=Lax/Strict so the session cookie isn't attached to cross-site requests (Strict blocks all of them; Lax still allows top-level GET navigations but blocks the cross-site POSTs that forged forms rely on).
Verify origin — check the Origin header (falling back to Referer) against your own site for sensitive actions, and reject the request when neither is present.
Versus XSS: CSRF abuses the user's existing session, rather than injecting scripts.
Know the attack: malicious site submits a form to a site where the user is logged in. Browser sends cookies automatically.
Prevention: SameSite cookies (modern, automatic), CSRF tokens (traditional), and Origin header checks. SameSite=Lax is the default in modern browsers.
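The three defenses above in one request check, as an added example rather than code from the original note: synchronizer-token generation and constant-time verification, an Origin/Referer check, and a session cookie issued with SameSite=Lax. The site origin `https://bank.example` and the function names are assumptions for illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed site origin used for the Origin/Referer check (placeholder value).
ALLOWED_ORIGINS = {"https://bank.example"}


def issue_csrf_token(session: dict) -> str:
    """Synchronizer-token pattern: mint a random token and keep a copy in the server-side session."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def origin_allowed(headers: dict) -> bool:
    """Origin check: use Origin if present, else derive scheme://host from Referer; absent both, reject."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer:
            parts = urlsplit(referer)
            origin = f"{parts.scheme}://{parts.netloc}"
    return origin in ALLOWED_ORIGINS


def verify_state_changing_request(session: dict, headers: dict, form: dict) -> tuple:
    """Run both checks on every POST/PUT/DELETE; returns (accepted, reason)."""
    if not origin_allowed(headers):
        return False, "origin mismatch"
    expected = session.get("csrf_token", "")
    submitted = form.get("csrf_token", "")
    # compare_digest avoids leaking the token through timing differences.
    if not expected or not hmac.compare_digest(expected.encode(), submitted.encode()):
        return False, "missing or invalid csrf token"
    return True, "ok"


def session_cookie_header(session_id: str) -> str:
    """SameSite=Lax keeps the cookie off cross-site POSTs, the vector used in the attack described above."""
    return f"Set-Cookie: session={session_id}; Secure; HttpOnly; SameSite=Lax; Path=/"
```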